DATA PROTECTION AGREEMENT

This Data Processing Agreement, including its Schedules, (“DPA”) forms part of the Aerie SaaS agreement other similar written or electronic agreement between the AerieHub / Aerie LLC, dba Aerie Engineering (“Aerie”) with an office at 1200 Woodruff Road, C-6, Greenville, South Carolina, 29607, and Customer (as defined below) (together with any applicable Statement of Work, the “Agreement”) to reflect the parties’ obligations with respect to the Processing of Customer Personal Data (as defined below). This DPA will be effective as of the date of the last signature below (“Effective Date”).

In consideration of the mutual covenants, promises, and conditions contained herein, the parties agree as follows:

1. Definitions. For purposes of this DPA, the following terms will have the meanings set forth below. Capitalized terms used but not otherwise defined in this DPA will have the meaning given to them in the Agreement.
   1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
   1. “Applicable Data Protection Laws” means any laws and regulations related to privacy, security, and/or the Processing of Customer Personal Data applicable to each respective party, each as amended, replaced, or superseded from time to time.
   1. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
   1. “Customer” means the person or entity that has entered into the Agreement.
   1. “Customer Personal Data” means any Personal Data governed by Applicable Data Protection Laws that is Processed by Aerie or a Sub-processor on behalf of Customer in the provision of the Services under the Agreement.
   1. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
   1. “Personal Data” means (a) information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household; and (b) any information defined as “personal data”, “personal information,” or other similar terms under Applicable Data Protection Laws.
   1. “Processing” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, return or destruction. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
   1. “Processor” means any person or entity which Processes Customer Personal Data, including as applicable any “service provider” or “contractor” as those terms are defined by Applicable Data Protection Laws.
   1. “Regulator” means any independent public authority, government agency, and any similar regulatory authority responsible for the enforcement of Applicable Data Protection Laws.
   1. “Security Incident” means a breach of Aerie’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted or stored by Aerie.
   1. “Services” means collectively, any software-as-a service and related services or professional services Aerie is providing to Customer under the Agreement.
   1. “Sub-processor” means any Processor engaged by Aerie who may Process Customer Personal Data in the course of Aerie’s provision of the Services.
2. Processing of Customer Personal Data
   1. Customer agrees to make Customer Personal Data available to Company for the limited and specified purpose of providing the Services as contemplated by the Agreement and this DPA. The subject-matter and details of Aerie’s Processing (including the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects) are set forth in Schedule A attached to this DPA.
   1. Aerie acknowledges and agrees that, with regard to the Processing of Customer Personal Data, Aerie is acting as a Processor. Aerie will comply with all applicable obligations of Applicable Data Protection Laws, including – with respect to Customer Personal Data – providing the same level of privacy protection as required by Applicable Data Protection Laws, and will notify Customer if Aerie determines it can no longer meet its obligations under Applicable Data Protection Laws. Further, to the extent required by Applicable Data Protection Laws, Aerie certifies that it understands the obligations and restrictions imposed on it by Applicable Data Protection Laws in its role as a Processor and will comply with such obligations. To the extent required by Applicable Data Protection Laws, Customer has the right to take reasonable and appropriate steps to help ensure that Aerie uses Customer Personal Data in a manner consistent with Customer’s obligations under Applicable Data Protection Laws, including without limitation, the right upon notice to stop and remediate Aerie’s unauthorized use of Customer Personal Data.
   1. Aerie will Process Customer Personal Data only (a) to provide Customer the Services and to fulfill its obligations under the Agreement in accordance with Customer’s documented instructions; and (b) for business operations incident to providing the Services to Customer. Customer agrees that the terms of the Agreement (including this DPA), along with the product documentation and Customer’s use and configuration of features in the Services, are Customer’s complete documented instructions to Aerie for the Processing of Customer Personal Data. The restrictions set forth in this DPA shall not restrict Aerie’s ability to Process Customer Personal Data where required to do so by applicable laws to which Aerie is subject.
   1. Aerie will not:
      1. retain, use, or disclose Customer Personal Data for any purpose other than to perform its obligations under the Agreement, which for the avoidance of doubt prohibits Aerie from retaining, using, or disclosing Customer Personal Data outside of the direct business relationship with Customer or for any other purpose, unless permitted by Applicable Data Protection Laws;
      1. “sell” or “share” (as those terms are defined by Applicable Data Protection Laws) Customer Personal Data; or
      1. combine Customer Personal Data with Personal Data Aerie receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform a business purpose as defined in regulations adopted pursuant to Cal. Civ. Code 1798.185(a)(10).
   1. Customer will:
      1. be responsible for complying with Applicable Data Protection Laws when making decisions and issuing instructions for the Processing of Customer Personal Data, including securing all permissions, consents or authorizations that may be required; and
      1. defend and indemnify Aerie, its Affiliates, and Sub-processors for any claim brought against them arising from an allegation of Customer’s breach of this section, whether by a Data Subject or a Regulator.
3. Confidentiality
   1. Aerie will take reasonable steps to ensure access to Customer Personal Data is limited to those individuals who (a) have a need to know or otherwise access Customer Personal Data to enable Aerie to perform its obligations under the Agreement and this DPA, or as required by applicable law; and (b) are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
   1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Aerie shall in relation to the Processing of Customer Personal Data maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, as appropriate, those measures required by Applicable Data Protection Laws. Such safeguards are further specified in Schedule B attached to this DPA. In assessing the appropriate level of security, Aerie shall take into account the risks that are presented by Processing, in particular from a potential Security Incident.
5. Security Incident Notification
   1. Aerie will notify Customer without undue delay, and within the timeframes required by Applicable Data Protection Laws, upon Aerie becoming aware of any Security Incident. To the extent known, Aerie will provide Customer with sufficient information about the Security Incident to allow Customer to meet its reporting obligations under Applicable Data Protection Laws.
   1. Aerie will cooperate with Customer and take commercially reasonable steps to assist in the investigation, mitigation and remediation of such Security Incident.
   1. Aerie’s notification of or response to a Security Incident under this section is not an acknowledgement by Aerie of any fault or liability with respect to the Security Incident.
6. Sub-processors
   1. Customer agrees that Aerie may engage Sub-processors to Process Customer Personal Data on Aerie’s behalf.  The Sub-processors currently engaged by Aerie and authorized by Customer are listed in Schedule C attached to this DPA.
   1. Aerie shall notify client (for which email will suffice) if it adds or removes Sub-processors at least ten (10) calendar days prior to any changes.  Customer may object in writing to Company’s appointment of a new Sub-processor within ten (10) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. [In the event that Client objects to such Sub-processor in accordance with this Section 6.2, Company shall provide to Aerie a change in the Services or an acceptable substitute Sub-processor such that the Personal Data will not be Processed by the objected-to new Sub-processor. In the event that Company does not or is unable to make such change within a reasonable period of time, Aerie may terminate the applicable Services by providing written notice to Company.]
   1. With respect to each Sub-processor, Aerie will:
      1. Ensure that the arrangement between Aerie and the Sub-processor is governed by a written contract which offers substantially the same level of protection for Customer Personal Data as required by this DPA and Applicable Data Protection Laws; and
      1. To the extent required by Applicable Data Protection Laws, remain fully liable to Customer for any failure by any Sub-processor to fulfil its obligations in relation to the Processing of any Customer Personal Data.
7. Data Subject Rights
   1. Taking into account the nature of the Processing of Customer Personal Data, Aerie will:
      1. Notify Customer without undue delay if Aerie receives a request from a Data Subject under any Applicable Data Protection Laws in respect to Customer Personal Data;
      1. Reasonably assist Customer through appropriate technical and organizational measures, insofar as this is possible, to fulfil Customer’s obligation to respond to Data Subject requests arising under Applicable Data Protection Laws, and where Customer is unable to respond to Data Subject requests through the information available by the Services.
8. Deletion of Customer Personal Data
   1. Subject to Section 8.2, Aerie will promptly upon Customer’s request or in any event within sixty (60) calendar days of the effective date of termination of the Agreement: (a) return a copy of all Customer Personal Data to Customer; or (b) delete and procure the deletion of all other copies of Customer Personal Data in Aerie’s possession.
   1. Aerie may retain Customer Personal Data to the extent required by applicable law and only to the extent and for such period as required by applicable law and always provided that Aerie will continue to ensure the security and confidentiality of all such Customer Personal Data and only Process such Customer Personal Data as necessary for the purpose specified in the applicable laws requiring its storage and for no other purpose. 

• Obligations to Assist Customer
  • Taking into account the nature of the Processing and information available to Customer, in each case solely in relation to Aerie’s Processing of Customer Personal Data, Aerie will provide such assistance as Customer reasonably requires in ensuring compliance with Customer’s obligations under Applicable Data Protection Laws, including but not limited to any data protection impact assessments and any prior consultations with any Regulator where required.
• Audits
  • Aerie will make available to Customer on request information necessary to demonstrate Aerie’s compliance with this DPA, as well as any Applicable Data Protection Laws.
  • To the extent required by Applicable Data Protection Laws, Aerie will allow for and contribute to audits by Customer, or an independent auditor engaged by Customer, that is not a competitor of Aerie, in relation to Aerie’s Processing of Customer Personal Data; provided that:
    • Customer notifies Aerie in writing with reasonable notice (not less than 30 business days) that such audit is required by Customer;
    • The parties mutually agree to the scope of any such audit;
    • Customer ensures that all information received or generated by the Customer or its auditor(s) in connection with such audits is kept strictly confidential (except for disclosure to Regulator or as otherwise required under the Data Protection Laws);
    • Customer ensures that the audit takes place during normal business hours and causes as little disruption as possible to the business operations of Aerie and the business operations of the Sub-processors;
    • No more than one such audit shall be conducted in any 12-month period, unless required by a Regulator; and
    • Customer bears the cost and expense of any audit.
• General Terms
  • Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will be either: (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible; (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
  • Aerie reserves the right to make updates and changes to this DPA from time to time. Such changes will become effective upon 30 days’ written notice to Customer.
  • Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement and the applicable cap (maximum) for the relevant party set forth in the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA together.
  • In the event of any conflict between the terms of the Agreement and this DPA related to the processing of Customer Personal Data, the terms of this DPA will prevail.
  • This DPA will be governed by and construed in accordance with the laws stipulated in the Agreement, unless required otherwise by Applicable Data Protection Laws.

IN WITNESS WHEREOF, the parties have caused this DPA to be executed by their respective duly authorized representatives as set forth below.

Aerie, LLC dba Aerie Engineering By:                                                                              Name:   _                                                                   Title:      President                                                   Date:     May 1, 2025

Customer By:                                                                             Name:                                                                       Title:                                                                          Date:

List of Schedules:

Schedule A: Details of Processing

Schedule B: Description of Technical and Organizational Security Measures

Schedule C: List of Sub-processors

Schedule A

Details of Processing

1. Subject Matter of Processing

The subject-matter of Processing of Customer Personal Data by Aerie is the performance of the Services pursuant to the Agreement.

• Nature and Purpose of Processing

Customer Personal Data will be Processed as necessary to perform the Services pursuant to the Agreement and will be subject to the following basic Processing activities (please specify):

þ Receiving data, including collection, accessing, retrieval, recording, and data entry

þ Holding data, including storage, organization, and structuring

þ Using data, including analyzing, consultation, testing, automated decision making and profiling

þ Updating data, including correcting, adaptation, alteration, alignment, and combination

þ Protecting data, including restricting, encrypting, and security testing

þ Sharing data, including disclosure, dissemination, allowing access or otherwise making available

þ Erasing data, including destruction and deletion

☐ Other (please provide details of other types of processing): and may be subject to the following Processing activities:

• Duration of Processing

Subject to Section 8 of the DPA, Aerie will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.

• Categories of Data Subjects

The Personal Data Processed concern the following categories of Data Subjects (please specify):

Employees, contractors

• Types of Personal Data

The Processing will involve the following types of Personal Data (please specify):

Name, work phone number, work email address, job title, signatures

Schedule B

Description of Technical and Organizational Security Measures

The following checklist set out the description of the technical and organizational security measures implemented by Aerie in relation to the Services:

þ We use firewalls to protect our internet connection.

þ We choose the most appropriate secure settings for our devices and software.

þ We control who has access to your data and services. Customer determines all AerieHub library users. Only Aerie employees working in the library have access to the data.

þ We protect ourselves from viruses and other malware. All our devices are maintained with the latest security through our third-party service, PTG.  AerieHub is protected in Microsoft Azure by Cloudflare.

þ We keep our software and devices up-to-date

þ We regularly backup our data: Data is backed up instantly in Azure. Customer files are backed up with CrashPlan prior to uploading to Azure.

Schedule C

List of Sub-processors

The following table sets out the list of Sub-processors that Customer has specifically authorized as of the Effective Date.

Entity Name	Entity Address	Description of Service/Processing Activity
None	n/a	n/a